The ICO will be expected to do “more of everything” when new data compliance law comes into force

Elizabeth Denham - Image credit: DCMS

The Information Commissioner’s Office (ICO) is to be given more flexibility over pay in a bid to ensure it can recruit and retain the right people to deal with the extra work of the EU’s tough new GDPR legislation.

Under policy introduced by former chancellor George Osborne, UK public sector bodies have, since 2010, faced tight restrictions on what they can pay their staff, including a two-year freeze and subsequent pay rise cap of one per cent which remained in force until last year.

Those restrictions have been keenly felt in digital, data and technology roles, where market rates are often significantly higher than those able to be offered by the public sector.

In a wide-ranging speech at an event held last week by the Association of Chief Executives and the Public Chairs' Forum, Elizabeth Denham, UK information commissioner at the ICO, set out the watchdog’s efforts to boost its firepower as it prepares for the “huge challenge” of GDPR.

She revealed that it had secured greater pay freedom from a Treasury that has kept a tight grip on public sector pay in recent years.

“The UK is a leader in data protection,” she told the audience.

“It’s one of the things that attracted me to this job – and the Government has made clear its intention that we retain our world-class status as well as making the UK the safest place to be online.

“I am strengthening my team in number and expertise and we’re moving the ICO to a place where we can deliver our new responsibilities and obligations to organisations and, importantly, the public.

“Earlier this month Treasury has provided the ICO pay flexibility for the next three years – this is critically important to be able to retain our expert staff and attract new technologists, lawyers and auditors.”

Although Denham did not reveal further details of the deal with the Treasury, previous such deals in Whitehall have involved promises to improve productivity.

Denham made clear that her organisation was expecting major new responsibilities from the UK Government’s Data Protection Bill, which makes GDPR part of UK law, and she told the conference that the ICO was “expecting more of everything” because of the change in legislation.

The Data Protection Bill would, she said, mean “more breach reports because the law requires it in high risk cases, more complaints, because people will be better informed of their rights, [and] greater engagement as organisations turn to us for advice at the outset”.

Denham also used her speech to reveal that the ICO would shortly be publishing what she called a “road map… to help organisations navigate the Data Protection Bill”, but she warned public sector chiefs against “complacency” in assuming their data protection policies are already up to scratch before May's GDPR deadline.

“The tone has to come from the top," she warned.

"This is about commitment over compliance. It is up to you and your boards and your leadership teams to foster a culture of transparency and accountability as to how you use personal data.

“Equip your staff with the training and tools they need to get data protection right.

“Demonstrate to them that data protection is not a box-ticking exercise but a commitment to people that you will handle their personal data with care and respect.”

The General Data Protection Regulation (GDPR) is designed to give EU citizens more control over the way their personal information is used, replacing legislation that was drafted before the widespread adoption of the internet.

It will come into force in all EU member states from 25 May 2018, and is expected to have major compliance impacts on public authorities across the UK.